Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add client_secret_expires_at to OAuth Applications #30317

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

ThisIsMissEm
Copy link
Contributor

@ThisIsMissEm ThisIsMissEm commented May 15, 2024

This allows us to support future client_secret expiry, whilst also advertising that clients do not currently expire automatically. This is inspired by Auth0's Open Dynamic Client Registration documentation.

Time at which the client_secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration.

— OAuth 2.0 Dynamic Registration, RFC 7591, Section 3.2.1

This PR requires #30316 to be merged, since the OAuth Application vacuuming currently does not have any predictable expiration properties. So if we leave OAuth Application vacuuming in as currently existing, the value of 0 would not be correct, since the client could be vacuumed at any point in time after 1 day.

This allows Application developers to prepare and be adaptive to when we may introduce client_secret expiry in the future, such that they can know when their application would expire. (Supporting this would require a database migration to add a column to the oauth_applications table for expiry).

@@ -27,6 +27,8 @@
client_id: token.application.uid
)
)

expect(body_as_json[:client_secret_expires_at]).to_not be_present
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm undecided as to if this value should or should not be returned here.

Copy link
Contributor

This pull request has merge conflicts that must be resolved before it can be merged.

@ThisIsMissEm ThisIsMissEm force-pushed the feat/add-client_secret_expires_at-to-oauth-applications branch from 917cac0 to 9544ee5 Compare May 17, 2024 14:40
Copy link
Contributor

This pull request has resolved merge conflicts and is ready for review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant